Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows7_x64
- resource: win7
- submitted: 01-08-2020 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe
- Resource: win10
General
- Target: SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe
- Size: 1.1MB
- MD5: 7e30a93f146632fb1f17202b76297bc9
- SHA1: 178ca4abed0673ddb9a674d8f108c79f33099454
- SHA256: b7ae0f7d14ce9a3423d5424845c5e70ca17d14b13631f21396248cad04027a35
- SHA512: a2f865b4641dd48d4fa8fdf09e3b943b27047d585301e1bd9b246af12cb081a489b5f5e2735e77cab334dd627494a4bb9cf1081874a7b0bdb32b80d824a94c43
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (38 IoCs)
Processes (description | pid | process | target process; identical entries collapsed, number of writes in parentheses):
PID 1376 wrote to memory of 1224 | 1376 | SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe | bdif.exe (4)
PID 1224 wrote to memory of 1528 | 1224 | bdif.exe | REG.exe (4)
PID 1224 wrote to memory of 1696 | 1224 | bdif.exe | rundll32.exe (7)
PID 1224 wrote to memory of 1764 | 1224 | bdif.exe | REG.exe (4)
PID 1224 wrote to memory of 1864 | 1224 | bdif.exe | rundll32.exe (7)
PID 1224 wrote to memory of 2004 | 1224 | bdif.exe | cmd.exe (4)
PID 1224 wrote to memory of 2016 | 1224 | bdif.exe | REG.exe (4)
PID 2004 wrote to memory of 988 | 2004 | cmd.exe | schtasks.exe (4)
- Executes dropped EXE (1 IoCs)
Processes (pid | process):
1224 | bdif.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process; identical entries collapsed, count in parentheses):
1696 | rundll32.exe (2)
- Blacklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
6 | 1696 | rundll32.exe
10 | 1864 | rundll32.exe
- NTFS ADS (1 IoCs)
Processes (description | ioc | process):
File created | \??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier | SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main" | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main" | REG.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Loads dropped DLL (10 IoCs)
Processes (pid | process; identical entries collapsed, count in parentheses):
1376 | SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe (2)
1696 | rundll32.exe (4)
1864 | rundll32.exe (4)
Processes (process tree; indentation shows the depth of each process under its parent)
depth 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43529991.18963.10385.exe"
  - Suspicious use of WriteProcessMemory
  - NTFS ADS
  - Loads dropped DLL
  depth 2: \??\c:\programdata\1321ba6d1f\bdif.exe
    command line: c:\programdata\1321ba6d1f\bdif.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    depth 3: C:\Windows\SysWOW64\REG.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
      - Adds Run key to start application
    depth 3: C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Loads dropped DLL
    depth 3: C:\Windows\SysWOW64\REG.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
      - Adds Run key to start application
    depth 3: C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
      - Blacklisted process makes network request
      - Loads dropped DLL
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\schtasks.exe
        command line: SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
        - Creates scheduled task(s)
    depth 3: C:\Windows\SysWOW64\REG.exe
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\1321ba6d1f\bdif.exe
- C:\ProgramData\a174c1ef10e2077451f5b6dda83242a1
- C:\Users\Admin\AppData\Local\Temp\cred.dll
- C:\Users\Admin\AppData\Local\Temp\scr.dll
- \ProgramData\1321ba6d1f\bdif.exe
- \Users\Admin\AppData\Local\Temp\cred.dll
- \Users\Admin\AppData\Local\Temp\scr.dll
- memory/988-21-0x0000000000000000-mapping.dmp
- memory/1224-2-0x0000000000000000-mapping.dmp
- memory/1528-5-0x0000000000000000-mapping.dmp
- memory/1696-6-0x0000000000000000-mapping.dmp
- memory/1764-12-0x0000000000000000-mapping.dmp
- memory/1864-13-0x0000000000000000-mapping.dmp
- memory/2004-19-0x0000000000000000-mapping.dmp
- memory/2016-20-0x0000000000000000-mapping.dmp